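<?php

/**
 * Payment submission endpoint.
 *
 * Handles the POSTed payment form from bank.php, guarded by a per-session
 * single-use token, and records the payment. Always terminates with one of
 * the plain-text responses the handler has always emitted: 'OK', 'timeout',
 * 'XSRF', or 'Unable to proceed to the payment'.
 *
 * Checks, in order:
 *  1. the session token, its timestamp and the POSTed token must all exist;
 *  2. the POSTed token must equal the session token (constant-time compare);
 *  3. the token must be younger than $time seconds, otherwise 'timeout';
 *  4. the Referer header must equal $referer (a weak, advisory check: the
 *     header is client-supplied and may be absent; the token is the real guard);
 *  5. the amount from the total_price cookie must be a plain decimal number
 *     before it is placed in the query (ext/mysql has no bound parameters).
 */
session_start();
include('db_connect.php');
$referer = 'https://localhost/planmytrip/bank.php';
$time = 2 * 60; // token lifetime in seconds

if (isset($_SESSION['token'], $_SESSION['time'], $_POST['token'])) {
    // hash_equals() avoids a timing side channel and the loose '==' comparison,
    // under which numeric-looking strings such as "0e1" and "0e2" compare equal.
    if (hash_equals((string) $_SESSION['token'], (string) $_POST['token'])) {
        if ($_SESSION['time'] >= (time() - $time)) {
            // A missing Referer is treated as a mismatch rather than raising an
            // undefined-index notice.
            $sentReferer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
            if ($sentReferer === $referer) {
                // Absent fields become '' exactly as mysql_real_escape_string(null) did.
                $fullname = isset($_POST['fullname']) ? mysql_real_escape_string($_POST['fullname']) : '';
                $accountnum = isset($_POST['accountnum']) ? mysql_real_escape_string($_POST['accountnum']) : '';

                // total_price comes from a client-controlled cookie and was previously
                // concatenated into the SQL text unescaped (an injection vector). Only
                // digits with an optional fractional part are accepted, so the value
                // can be emitted as a numeric literal.
                // NOTE(review): a client-settable price is untrustworthy regardless of
                // escaping; the cart total should come from server-side state — confirm
                // where bank.php keeps it.
                $totalPrice = isset($_COOKIE['total_price']) ? (string) $_COOKIE['total_price'] : '';
                if (!preg_match('/^[0-9]+(\.[0-9]+)?$/', $totalPrice)) {
                    die('Unable to proceed to the payment');
                }

                $req = 'INSERT INTO payments VALUES ("' . $fullname . '", "' . $accountnum . '", ' . $totalPrice . ')';
                mysql_query($req) or die('Unable to proceed to the payment');
                mysql_close();

                // The token is single-use: drop it so a replayed form is rejected.
                unset($_SESSION['token'], $_SESSION['time']);
                die('OK');
            }
        } else {
            die('timeout');
        }
    }
}
// Any path that did not complete the payment is reported as a CSRF failure.
die('XSRF');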
